Systems and methods for selective decryption of encrypted data packets
Abstract
Systems and methods for network traffic monitoring are provided. A system may monitor a first plurality of encrypted data packet exchanges between a server and a plurality of network devices, determine one or more metric baselines corresponding to a plurality of metric types for communication between the server and the plurality of network devices, monitor a second plurality of encrypted data packet exchanges between the server and a second plurality of network devices, identify a set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges each having a duration exceeding a first threshold, determine an exchange metric for each of the plurality of metric types, identify one or more encrypted data packet exchanges having at least one exchange metric exceeding a metric baseline, and apply a tag to one or more network devices of the second plurality of network devices.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A system comprising:
a network monitoring device connected to a communications network, the network monitoring device configured to monitor network traffic transmitted to and from a server across the communications network, the network monitoring device comprising one or more processors coupled with memory, the memory storing executable instructions that, when executed by the one or more processors, cause the one or more processors to:
monitor a first plurality of encrypted data packet exchanges between the server and a plurality of network devices;
determine, based at least on the first plurality of encrypted data packet exchanges, one or more metric baselines corresponding to a plurality of metric types for communication between the server and the plurality of network devices;
monitor, subsequent to the determination of the one or more metric baselines, a second plurality of encrypted data packet exchanges between the server and a second plurality of network devices;
identify a set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges each having a duration exceeding a first threshold;
determine an exchange metric for each of the plurality of metric types for each of the set of encrypted data packet exchanges;
identify one or more encrypted data packet exchanges of the set of encrypted data packet exchanges having at least one exchange metric exceeding a metric baseline of the one or more metric baselines of the same metric type; and
apply a tag to one or more network devices of the second plurality of network devices associated with the identified one or more encrypted data packet exchanges identifying the one or more network devices as malicious.
2. The system of claim 1 , wherein the one or more metric baselines correspond to least one of:
a plurality of data packet sizes associated with the first plurality of encrypted data packet exchanges; or
a plurality of inter-packet timings associated with the first plurality of encrypted data packet exchanges.
3. The system of claim 1 , wherein the instructions cause the one or more processors to:
identify a second set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges, the second set of encrypted data packet exchanges corresponding to a second network device of the second plurality of network devices;
determine, responsive to the identification of the second set of encrypted data packet exchanges, one or more second exchange metrics associated with the second set of encrypted data packet exchanges, the one or more second exchange metrics comprising:
a number of long-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; or
a number of short-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; and
apply, based at least on the number of long-duration encrypted data packet exchanges or the number of short-duration encrypted data packet exchanges, a second tag to the second network device to identify the second network device as malicious.
4. The system of claim 3 , wherein the instructions cause the one or more processors to:
transmit, responsive to application of the second tag to the second network device, a signal to a computing device, the computing device configured to decrypt the second set of encrypted data packet exchanges to identify given information included in the second set of encrypted data packet exchanges;
prevent, responsive to decryption of the second set of encrypted data packet exchanges by the computing device, subsequent data packet exchanges between the server and the second network device; and
compare the one or more second exchange metrics with one or more third exchange metrics of a third set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges to identify one or more third network devices of the second plurality of network devices as malicious.
5. The system of claim 3 , wherein the instructions cause the one or more processors to prevent subsequent data packet exchanges between the server and the second network device identified as malicious.
6. The system of claim 1 , wherein the instructions cause the one or more processors to:
determine, responsive to monitoring the second plurality of encrypted data packet exchanges, an amount of time elapsed between a first given encrypted data packet exchange of the second plurality of encrypted data packet exchanges and a second given encrypted data packet exchange of the second plurality of encrypted data packet exchanges, the first given encrypted data packet exchange and the second given encrypted data packet exchange associated with a given network device of the second plurality of network devices;
detect, responsive to determination of the amount of time, that the amount of time is less than a predetermined amount; and
apply, based on the amount of time being less than the predetermined amount, a second tag to the given network device to identify the given network device as malicious.
7. The system of claim 1 , wherein the instructions cause the one or more processors to:
identify, responsive to decryption of the identified one or more encrypted data packet exchanges by a computing device, a network attack attempted by the network device.
8. The system of claim 1 , wherein the instructions cause the one or more processors to:
retrieve, from a data structure, information associated with a given network device of the second plurality of network devices;
determine, responsive to retrieval of the information associated with the given network device, one or more second exchange metrics associated with a second set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges, the second set of encrypted data packet exchanges corresponding to the given network device; and
apply, responsive to determination of the one or more second exchange metrics, a second tag to the given network device to identify the given network device as malicious.
9. The system of claim 8 , wherein the one or more second exchange metrics comprise at least one of:
a number of short-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges;
a number of long-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; or
an amount of time associated with the second set of encrypted data packet exchanges.
10. The system of claim 1 , wherein the instructions cause the one or more processors to:
identify one or more second encrypted data packet exchanges of the set of encrypted data packet exchanges as one or more short-duration encrypted data packet exchanges;
update, responsive to identification of the one or more short-duration encrypted data packet exchanges, a data structure to identify the one or more second encrypted data packet exchanges as the one or more short-duration encrypted data packet exchanges;
detect, responsive to updating the data structure, that a number of short-duration encrypted data packet exchanges associated with the one or more network devices exceed a predetermined threshold; and
apply, responsive to detection that the number of short-duration encrypted data packet exchanges exceeds the predetermined threshold, the tag to the one or more network devices to identify the one or more network devices as malicious.
11. The system of claim 1 , wherein instructions cause the one or more processors to:
identify the one or more encrypted data packet exchanges as one or more long-duration encrypted data packet exchanges;
update, responsive to identification of the one or more long-duration encrypted data packet exchanges, a data structure to identify the one or more encrypted data packet exchanges as the one or more long-duration encrypted data packet exchanges;
detect, responsive to updating the data structure, that one or more second exchange metrics associated with the one or more long-duration encrypted data packet exchanges are different from the one or more metric baselines; and
apply, responsive to detection that the one or more second exchange metrics are different form the one or more metric baselines, the tag to the one or more network devices to identify the one or more network devices as malicious.
12. The system of claim 1 , wherein the first plurality of encrypted data packet exchanges comprise at least one of one or more short-duration encrypted data packet exchanges or one or more long-duration encrypted data packet exchanges, and wherein the one or more short-duration encrypted data packet exchanges occur in less than 500 milliseconds.
13. A method, comprising:
monitoring, by one or more processors, a first plurality of encrypted data packet exchanges between a server and a plurality of network devices, the one or more processors connected to a communications network, and the one or more processors configured to monitor network traffic transmitted to and from the server across the communications network;
determining, by the one or more processors based at least on the first plurality of encrypted data packet exchanges, one or more metric baselines corresponding to a plurality of metric types for communication between the server and the plurality of network devices;
monitoring, by the one or more processors subsequent to the determination of the one or more metric baselines, a second plurality of encrypted data packet exchanges between the server and a second plurality of network devices;
identifying, by the one or more processors, a set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges each having a duration exceeding a first threshold;
determining, by the one or more processors, an exchange metric for each of the plurality of metric types for each of the set of encrypted data packet exchanges;
identifying, by the one or more processors, one or more encrypted data packet exchanges of the set of encrypted data packet exchanges having at least one exchange metric exceeding a metric baseline of the one or more metric baselines of the same metric type; and
applying, by the one or more processors, a tag to one or more network devices of the second plurality of network devices associated with the identified one or more encrypted data packet exchanges identifying the one or more network devices as malicious.
14. The method of claim 13 , wherein the one or more metric baselines comprise at least one of:
a plurality of data packet sizes associated with the first plurality of encrypted data packet exchanges; or
a plurality of inter-packet timings associated with the first plurality of encrypted data packet exchanges.
15. The method of claim 13 , further comprising:
identifying, by the one or more processors, a second set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges, the second set of encrypted data packet exchanges corresponding to a second network device of the second plurality of network devices;
determining, by the one or more processors responsive to identifying the second set of encrypted data packet exchanges, one or more second exchange metrics associated with the second set of encrypted data packet exchanges, the one or more second exchange metrics comprising:
a number of long-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; or
a number of short-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; and
applying, by the one or more processors based at least on the number of long-duration encrypted data packet exchanges or the number of short-duration encrypted data packet exchanges, a second tag to the second network device to identify the second network device as malicious.
16. The method of claim 15 , further comprising:
transmitting, by the one or more processors responsive to application of the second tag to the second network device, a signal to a computing device, the computing device configured to decrypt the second set of encrypted data packet exchanges to identify given information included in the second set of encrypted data packet exchanges;
preventing, by the one or more processors responsive to decryption of the second set of encrypted data packet exchanges by the computing device, subsequent data packet exchanges between the server and the second network device; and
comparing, by the one or more processors, the one or more second exchange metrics with one or more third exchange metrics of a third set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges to identify one or more third network devices of the second plurality of network devices as malicious.
17. The method of claim 15 , further comprising:
preventing, by the one or more processors, subsequent data packet exchanges between the server and the second network device identified as malicious.
18. The method of claim 13 , further comprising:
determining, by the one or more processors responsive to monitoring the second plurality of encrypted data packet exchanges, an amount of time elapsed between a first given encrypted data packet exchange of the second plurality of encrypted data packet exchanges and a second given encrypted data packet exchange of the second plurality of encrypted data packet exchanges, the first given encrypted data packet exchange and the second given encrypted data packet exchange associated with a given network device of the second plurality of network devices;
detecting, by the one or more processors responsive to determination of the amount of time, that the amount of time is less than a predetermined amount; and
applying, by the one or more processors based on the amount of time being less than the predetermined amount, a second tag to the given network device to identify the given network device as malicious.
19. A non-transitory computer readable storage medium comprising instructions stored thereon that, when executed by one or more processors, cause the one or more processors to:
monitor a first plurality of encrypted data packet exchanges between a server and a plurality of network devices, the one or more processors connected to a communications network, and the one or more processors configured to monitor network traffic transmitted to and from the server across the communications network;
determine, based at least on the first plurality of encrypted data packet exchanges, one or more metric baselines corresponding to a plurality of metric types for communication between the server and the plurality of network devices;
monitor, subsequent to the determination of the one or more metric baselines, a second plurality of encrypted data packet exchanges between the server and a second plurality of network devices;
identify a set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges each having a duration exceeding a first threshold;
determine an exchange metric for each of the plurality of metric types for each of the set of encrypted data packet exchanges;
identify one or more encrypted data packet exchanges of the set of encrypted data packet exchanges having at least one exchange metric exceeding a metric baseline of the one or more metric baselines of the same metric type; and
apply a tag to one or more network devices of the second plurality of network devices associated with the identified one or more encrypted data packet exchanges identifying the one or more network devices as malicious.
20. The non-transitory computer readable storage medium of claim 19 , wherein the instructions further cause the one or more processors to:
identify a second set of encrypted data packet exchanges from the second plurality of encrypted data packet exchanges, the second set of encrypted data packet exchanges corresponding to a second network device of the second plurality of network devices;
determine, responsive to the identification of the second set of encrypted data packet exchanges, one or more second exchange metrics associated with the second set of encrypted data packet exchanges, the one or more second exchange metrics comprising:
a number of long-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; or
a number of short-duration encrypted data packet exchanges included in the second set of encrypted data packet exchanges; and
apply, based at least on the number of long-duration encrypted data packet exchanges or the number of short-duration encrypted data packet exchanges, a second tag to the second network device to identify the second network device as malicious.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.